Open lduriez opened 5 months ago
Our current syntax uses JSON Pointer. So we could support this if it does.
Actually I don't know if JSON Pointer allows it, but I could do it with Logstash with the following configuration:
filter {
  ruby {
    code => '
      if event.get("[action]") == "BLOCK" || event.get("[action]") == "CHALLENGE"
        event.set("terminatingRule.ruleId", event.get("[ruleGroupList][-1][terminatingRule][ruleId]"))
        event.set("terminatingRule.action", event.get("[ruleGroupList][-1][terminatingRule][action]"))
        event.set("terminatingRule.ruleMatchDetails", event.get("[ruleGroupList][-1][terminatingRule][ruleMatchDetails]"))
      end
    '
  }
}
But I managed to achieve what I want for my use case by doing this:
processor:
  - flatten:
      source: "ruleGroupList"
      target: "ruleGroupList_flattened"
      exclude_keys: ["ruleGroupId","nonTerminatingMatchingRules","excludedRules","customerConfig"]
      remove_list_indices: true
      flatten_when: /action != "ALLOW"
  - add_entries:
      entries:
        - key: "/terminatingRule/ruleId"
          format: "${/ruleGroupList_flattened/[].terminatingRule.ruleId}"
  - delete_entries:
      with_keys: ["ruleGroupList_flattened"]
Input looks like:
{
  "ruleGroupList": [
    {
      "ruleGroupId": "arn:aws:wafv2:us-east-1:***:global/rulegroup/secret",
      "terminatingRule": null,
      "nonTerminatingMatchingRules": [],
      "excludedRules": null,
      "customerConfig": null
    },
    {
      "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
      "terminatingRule": null,
      "nonTerminatingMatchingRules": [],
      "excludedRules": null,
      "customerConfig": null
    },
    {
      "ruleGroupId": "AWS#AWSManagedRulesKnownBadInputsRuleSet",
      "terminatingRule": null,
      "nonTerminatingMatchingRules": [],
      "excludedRules": null,
      "customerConfig": null
    },
    {
      "ruleGroupId": "AWS#AWSManagedRulesPHPRuleSet",
      "terminatingRule": null,
      "nonTerminatingMatchingRules": [],
      "excludedRules": null,
      "customerConfig": null
    },
    {
      "ruleGroupId": "AWS#AWSManagedRulesLinuxRuleSet",
      "terminatingRule": null,
      "nonTerminatingMatchingRules": [],
      "excludedRules": null,
      "customerConfig": null
    },
    {
      "ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet",
      "terminatingRule": null,
      "nonTerminatingMatchingRules": [],
      "excludedRules": null,
      "customerConfig": null
    },
    {
      "ruleGroupId": "AWS#AWSManagedRulesUnixRuleSet",
      "terminatingRule": null,
      "nonTerminatingMatchingRules": [],
      "excludedRules": null,
      "customerConfig": null
    },
    {
      "ruleGroupId": "AWS#AWSManagedRulesBotControlRuleSet",
      "terminatingRule": {
        "ruleId": "CategoryHttpLibrary",
        "action": "BLOCK",
        "ruleMatchDetails": null
      },
      "nonTerminatingMatchingRules": [],
      "excludedRules": null,
      "customerConfig": [
        {
          "name": "InspectionLevel",
          "value": "COMMON"
        },
        {
          "name": "EnableMachineLearning",
          "value": "null"
        }
      ]
    }
  ]
}
Output looks like:
{
  "terminatingRule": {
    "ruleId": "CategoryHttpLibrary"
  }
}
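The extraction discussed in this thread, written as plain Ruby and added here as an example (it is not code from any participant or from either project). Instead of relying on index -1, it scans `ruleGroupList` from the end for the last entry with a non-null `terminatingRule`; the function names, the extra `ruleGroupId` field and the top-level `action` value in the sample are assumptions.

```ruby
require "json"

# Actions the thread's Logstash filter treats as terminating.
TERMINATING_ACTIONS = %w[BLOCK CHALLENGE].freeze

# Return the last ruleGroupList entry that carries a terminatingRule, or nil.
# Scanning from the end covers both "it is the last item" and a trailing
# group whose terminatingRule is null.
def terminating_group(event)
  groups = event["ruleGroupList"]
  return nil unless groups.is_a?(Array)

  groups.reverse_each.find { |g| g.is_a?(Hash) && g["terminatingRule"].is_a?(Hash) }
end

# Copy ruleId/action/ruleMatchDetails into a top-level "terminatingRule"
# object (the shape of the thread's output), plus the owning ruleGroupId
# (an addition made for this example). The input event is not modified.
def promote_terminating_rule(event)
  return event unless TERMINATING_ACTIONS.include?(event["action"])

  group = terminating_group(event)
  return event if group.nil?

  rule = group["terminatingRule"]
  promoted = { "ruleGroupId" => group["ruleGroupId"] }
  %w[ruleId action ruleMatchDetails].each { |k| promoted[k] = rule[k] }
  event.merge("terminatingRule" => promoted)
end

# Constructed sample, trimmed from the input posted in the thread; the
# top-level "action" value is an assumption.
SAMPLE = JSON.parse(<<~JSON)
  {
    "action": "BLOCK",
    "ruleGroupList": [
      { "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet", "terminatingRule": null },
      { "ruleGroupId": "AWS#AWSManagedRulesBotControlRuleSet",
        "terminatingRule": { "ruleId": "CategoryHttpLibrary", "action": "BLOCK",
                             "ruleMatchDetails": null } }
    ]
  }
JSON

puts JSON.pretty_generate(promote_terminating_rule(SAMPLE)["terminatingRule"]) if __FILE__ == $PROGRAM_NAME
```

Events with an `ALLOW` action, a missing or empty `ruleGroupList`, or no group-level terminating rule are returned unchanged, so downstream detections can tell "no terminating rule group" apart from a parsing failure.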
Hello
Is your feature request related to a problem?
It may already be possible, but I would like a mutate to retrieve the last item of a list. For example:
Would become:
Additional context
I tried with add_entries and using -1 to get it:
But it didn't work; I had the following error: